Leveraging SEC's Cyber Rules for (Public and Private) Business Success

July 20, 2023 | By IANS Faculty

The upcoming SEC breach disclosure rules give security executives an opportunity to connect security issues to the board’s risk oversight and strategic leadership responsibilities. This can contextualize security in terms of revenues and profits, shifting infosec from an “IT problem” to an “enterprise risk management matter” to a “core part of business strategy.”

This piece explains how progressing on this journey requires proactive compliance with emerging regulations like the pending SEC cyber disclosure rules, whether your organization is public or private.

Impact of New SEC Cyber Rules on Public and Private Companies 

Whether your business is one of the 6,000+ publicly listed companies that will be required to comply with the upcoming SEC cyber breach disclosure rules or is a private organization, the rules create an opportunity to elevate cyber’s role in the business.

While private companies are not directly subject to SEC registration, reporting and disclosure requirements, these same companies are increasingly targeted by adversarial threat sources and subject to the same accidental, structural and environmental threat sources that public companies face. Effective governance at all levels of the business is critical.

Getting one’s cyber-risk management ducks in a row is not just for SEC-regulated companies. Instead of approaching the rules as an increased compliance burden, treat them as a guide to developing more sophisticated governance and risk management capabilities with leadership. These rules provide business-focused ammunition to get security buy-in from the management team and board.

Adopt All SEC Cyber Requirements as Best Practices 

The specific proposed changes in the SEC rulemaking are:

  • Reporting of Cybersecurity Incidents on Form 8-K
  • Disclosure about Cybersecurity Incidents in Periodic Reports
  • Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
  • Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The first two requirements are about timely reporting. Under the proposal, a Form 8-K would have to be filed within four business days after the company determines that a cybersecurity incident is material; the clock starts at the materiality determination, not at the moment the incident is discovered, so an organization needs a documented, repeatable process for reaching that determination quickly. Organizations should get used to increasingly tighter reporting time frames, especially given similar existing and emerging requirements in NYDFS, GDPR, CIRCIA, DFARS/CMMC, NCUA, etc.

Regarding disclosure of “Risk Management, Strategy and Governance Regarding Cybersecurity Risks,” risk oversight is one of the top three responsibilities of a board of directors, along with strategy and leadership. Disclosing information about risk and risk management oversight is not new to public company boards. Public company boards have had to disclose their role in overall risk oversight since Feb. 28, 2010, the effective date of the SEC final rule on Proxy Disclosure Enhancements. As another specific example of risk-related disclosure, audit committees of New York Stock Exchange-listed companies must discuss their policies concerning risk assessment and risk management. Private companies should follow suit and establish, implement and mature an enterprise cyber-risk management (ECRM) program and a cybersecurity strategy that flows from it.

And finally, independent of disclosure requirements, every board, in every organization, should either add cybersecurity expertise to its membership or ensure it has ready access to that expertise, given the existential risks that cyber threats now present to all businesses in all industries. As a profession, cybersecurity is immature compared to the well-established taxonomy of knowledge, skills, abilities and certifications in finance and accounting. A “skills matrix” for someone with “cybersecurity expertise” should therefore emphasize broader attributes rather than cyber certifications alone, to avoid onboarding a single-purpose director and instead find someone who can also contribute to the board’s other oversight responsibilities.

Complying with all or any of the SEC requirements should mean a refreshed board agenda that includes risk-based, business-enabling topics such as: 1) Your Top Risks and Treatment; 2) Advancement in Your Program/Strategy Development; and 3) Ongoing Board Education.

Why Private Companies Should Comply with SEC Cyber Rules 

Complying with the upcoming SEC rules as a private business is a strategic decision that requires leadership buy-in. Doing so can advance your security program, but you need to make a business case to get the cross-functional cooperation required to strengthen governance and risk management. The following issues can drive those conversations:

  • The SEC has the authority to investigate any company that seeks to raise capital from U.S. investors: Among other avenues, investors in private companies often exit by way of an initial public offering (IPO). The SEC’s antifraud authority reaches any company, public or private, that makes false or misleading statements as part of an offering process, and a private company going public would have to respond to the proposed SEC cybersecurity disclosures in its registration statement. Private companies should therefore work proactively on their cybersecurity and cyber-risk management program so they can tell a credible, progressive story to prospective investors that is responsive to the SEC’s proposed cyber disclosures. As the authors point out in “The SEC Takes Aim at the Public-Private Disclosure Gap,” “… the line between ’investors’ and the ’public’ has blurred in recent decades, as a majority of the American public is now exposed to both public and private market risk through pension funds, education savings plans, and company retirement programs.”
  • A strategic acquirer of a private company may already be public and subject to SEC disclosure requirements: In this case, the potential acquirer would already be filing the required cyber-related reports and disclosures and would place value on a private company that can not only make those disclosures easily but, more importantly, has a mature ECRM program in place. According to a recent Forescout report, 48% of business leaders encountered a critical cyber issue or incident during an M&A transaction that jeopardized the deal. Private companies should be attentive to the SEC’s proposed cyber disclosures and to what is driving them: better enterprise cyber-risk management.
  • Forget about acquisitions and IPOs; take care of your current stakeholders: The content of the proposed SEC disclosure requirements is necessary for investors. At the same time, they are a means to an end—driving improvements in cyber-risk management. Private companies and nonprofit organizations have customers, perhaps patients, investors, bankers, insurers, employees and regulators (think: HIPAA, GDPR, CMMC, GLBA, FERPA, etc.), all of whom expect your organization to have and benefit from a robust cyber-risk management program.
  • The cost of capital is lower for organizations that establish, implement and mature an ECRM program: Credit-rating agencies, including Standard & Poor’s (S&P), Moody’s and Fitch Group, now factor the financial impact of a cyberattack into an organization’s credit rating. In 2019, Moody’s revised its outlook on Equifax from “stable” to “negative,” citing the immense data breach the company experienced in 2017. SolarWinds had its rating lowered by S&P from B+ to B in April of last year following the cyberattack disclosed in 2020. The proposed SEC cyber disclosure requirements provide a North Star for improved cybersecurity and, therefore, access to capital at a lower cost, whether you are private or public.
  • Most private companies are part of public company supply chains: Even if your company is private, your customers and vendors may be public companies. When the proposed SEC cyber disclosure requirements are finalized, expect your public company stakeholders to raise the ante on your incident response and on your reporting obligations to them, since an incident at a supplier can be a material incident for the public company that depends on it. In healthcare, similar requirements were tightened when the Omnibus Final Rule implementing the HITECH Act was published in the Federal Register in 2013. Along with public companies, private companies and nonprofit organizations must strengthen their cyber-risk management programs and be more transparent. Public companies are likely to become more discriminating about the partners they work with, expecting them to disclose detailed information about their cyber-risk management programs, much like what the SEC has proposed.
  • Manage talent risk in the new world: The pandemic, the “Great Resignation,” big tech layoffs and “quiet quitting” have created a new set of dynamics for organizations striving to attract and retain talent. Organizations with reputations tainted by material cyber incidents will likely have a harder time with talent management, which is now a board issue. Existing workforce members and candidates may conclude that management and the board either don’t know or don’t care about managing cyber risks. Who wants to work there? In general, members across the workforce will think twice. A Harvard Business Review article highlighted that “79% of employees who trust their employer are more motivated to work and less likely to leave.” Specific to cybersecurity talent, how competitive will your company be in attracting cybersecurity professionals in the face of the current worldwide shortage of 3.4 million cybersecurity workers?
  • Manage the expectations of board members who come from public companies: Many private and nonprofit organizations benefit from having board members who also serve as executives or directors of public companies. These directors bring to their private-company and nonprofit boards the order, process and discipline around regulatory compliance that they expect in their public companies. After all, board members of all companies have fiduciary responsibilities. They see the value of transparency and its importance to all stakeholders, and they realize that public company requirements, like the proposed SEC cyber disclosure requirements, may be a harbinger for all organizations.

Tips to Educate Your Executives and Board on SEC Cyber Rules 

Once you have buy-in on applying the SEC rules to your business, it’s time to have practical conversations about how to comply. Here are several starter questions about complying with the proposed SEC cyber disclosure changes, whether your company is public or private:

  • What team of executives should be assembled to examine these requirements, monitor the rule change process and report to the board?
  • What is the current state of your cyber incident response and reporting practices today? Do you have reasonable and appropriate policies, procedures and forms to ensure documentation and follow-up?
  • Does your organization regularly and consistently conduct tabletop exercises to test your incident response program?
  • Is your ECRM strategy formalized and documented? Are you comfortable disclosing your ECRM strategy to investors?
  • Would your organization’s current risk assessment/risk management work products meet national or international standards, such as those promulgated by NIST or ISO?
  • What is the level of cybersecurity expertise on your board today? Can anyone on the board understand ECRM issues? Are you comfortable today disclosing your board’s cybersecurity expertise to investors?
  • Given your organization’s current industry, “crown jewels,” attack surface and ECRM strategy, would your investors conclude that you have the correct cybersecurity expertise on your board?

Your enterprise cyber-risk management program and cybersecurity strategy can support your strategic business objectives and growth. If we’ve reached the board by connecting to their risk oversight responsibilities, we can better connect on one of their other top three responsibilities—strategy—which is usually about growing revenues and profits. Pivoting from an “IT problem” to an “enterprise risk management matter” to a “core part of business strategy” requires proactive compliance with emerging regulations, like the pending SEC cyber disclosure rules, whether your organization is public or private.

CISOs as Board Directors 

On boards lacking cyber understanding, CISOs appear to be logical candidates to fill the gap. However, CISOs vary widely in their readiness to serve as effective board members.

Download our CISOs as Board Directors: CISO Board Readiness Report to access research-backed findings on the five key traits of cyber board directors.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
